Abstract. In this paper, we survey the status of attacks on the ring and polynomial learning with errors problems (RLWE and PLWE). Recent work on the security of these problems [EHL, ELOS] gives rise to interesting questions about number fields. We extend these attacks and survey related open problems in number theory, including spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo $q$.

1. Introduction 

Public key cryptography relies on the existence of hard computational problems in mathematics, i.e., problems for which there are no known general polynomial-time algorithms. Hard mathematical problems related to lattices were first suggested as the basis for cryptography almost two decades ago ([A, AD, HPS]). While other better-known problems in public key cryptography such as factoring and the discrete logarithm problem are closely tied to computational number theory, lattice-based cryptography has seemed somewhat more distant. Recent developments, including the introduction of the ring-learning with errors problem instantiated in the ring of integers of a number field ([LPR]), have connected the area to new questions in computational number theory.

At the same time, lattice-based cryptography has seen a dramatic surge of 
activity. Since there are no known polynomial time algorithms for attacking 
standard lattice problems on a quantum computer (in contrast to the case 
for widely deployed cryptographic systems such as RSA, discrete log, and 
elliptic curves), lattice-based cryptography is considered to be a promising 
cryptographic solution in a post-quantum world. 

One of the most exciting recent developments has been the construction of fully homomorphic encryption schemes ([Gen, BVa, BVb, BGV, GHS]) which allow meaningful operations to be performed on data without decrypting it: one can add and multiply encrypted numbers, returning the encrypted correct result, without knowledge of the plaintext or private key. The addition and multiplication of ciphertexts is possible due to the ring structure inherent in polynomial rings: these translate into AND and OR gates which can be used to build arbitrary circuits. Exciting applications include privacy problems in the health sector for electronic medical records, predictive analysis and learning from sensitive private data, and genomic computations ([LNV, GLN, BLN, LLN]).

These new homomorphic encryption solutions are based on versions of 
hard “learning problems” with security reductions to and from standard 
lattice problems such as the shortest vector problem ([R]). The idea behind 
the whole class of learning problems is that it is hard to “learn” a secret 
vector, given only sample inner products of that vector with other random 
vectors, provided these products are obscured by adding a small amount of 
Gaussian noise (“errors”). 

The ring version, which we call Ring-LWE or RLWE, was introduced in [LPR], presenting a fundamental hardness result which can be described informally as follows: for any ring of integers $R$, any algorithm that solves the (search version of the) Ring-LWE problem yields a comparably efficient quantum algorithm that finds approximately shortest vectors in any ideal lattice in $R$.

Soon after the introduction of Ring-LWE, an efficient cryptosystem allowing for homomorphic multiplication was proposed in [BVa] based on a variant of the RLWE problem, the Polynomial Learning With Errors problem (here denoted PLWE). Improvements to that cryptosystem (e.g. [BGV, GHS]) have followed in the same vein, with the same hardness assumption. The reader should note that the terminology of “Ring-LWE” vs. “Poly-LWE” is not entirely standard, and some authors use “Ring-LWE” to refer to a larger class of problems including both.

We focus in this paper on PLWE, specified by the following choices:

(1) a polynomial ring $P_q = \mathbb{F}_q[x]/(f(x))$, with $f(x)$ a monic irreducible polynomial of degree $n$ over $\mathbb{Z}$ which splits completely over $\mathbb{F}_q$,

(2) a basis for the polynomial ring, which will often be taken to be a power basis in the monogenic case (in particular, the choice of a basis can be used to endow the ring with the standard inner product on the ring),

(3) and a parameter specifying the size of the Gaussian noise to be added (the size of the “error”), spherical with respect to this inner product.

We also focus on RLWE obtained from the same setup, but with the inner product instead given by the Minkowski embedding of a ring of integers of the form $\mathbb{Z}[x]/(f(x))$. More general situations, including the case where the defining polynomial for the number ring does not split modulo $q$, or the case where $q$ is composite, or the distribution is non-spherical or non-Gaussian, are considered in the cryptographic literature, but the setup above will suffice for our present purpose, which is to give a number theorist an entrée into the subject.
A key point is that for cryptographic applications, the errors must be chosen to be relatively small, to allow for correct decryption. For PLWE, “small” refers to the coefficient size (absolute value of the smallest residue), where the error is a polynomial, i.e. represented according to a polynomial basis for the ring. But to relate RLWE to other standard lattice problems, [LPR] considers the embedding of the ring $\mathbb{Z}[x]/(f(x))$ into the real vector space $\mathbb{R}^n$ under the Minkowski embedding (before reduction modulo $q$), and uses a Gaussian in $\mathbb{R}^n$; this induces an entirely different distribution on the error vectors for general number rings. It was shown in [LPR] and [DD] that in the case of 2-power cyclotomic rings, the distributions are the same. However, in [ELOS] it was shown that in general rings the distortion of the distribution is governed by the largest singular value of the change-of-basis matrix between the Minkowski and the polynomial basis. Thus the RLWE and PLWE distributions are not equivalent in general rings.

Although RLWE and PLWE for cyclotomic rings, particularly two-power cyclotomic rings, are the current candidates for practical lattice-based homomorphic encryption with ideal lattices, it will be important for a full study of their security to consider the RLWE and PLWE problems for general rings. This includes studying the two problems independently, and analysing their relationships via the distortion of distributions just mentioned. One lesson from [ELOS] is that deviating from these recommended candidates can lead to an insecure system.

The RLWE and PLWE problems are formulated as either ‘search’ or ‘decision’ problems (see Section 2 below). A security reduction was presented in [LPR] showing that, for any cyclotomic ring $R$, an algorithm for the decision version of the Ring-LWE problem yields a comparably efficient algorithm for the search version of the Ring-LWE problem. This search-to-decision reduction was subsequently extended to apply to any Galois field in [EHL].

In [EHL], an attack on PLWE was presented in rings $P_q = \mathbb{F}_q[x]/(f(x))$, where $f(1) \equiv 0 \pmod q$. In addition, [EHL] gives sufficient conditions on the ring so that the ‘search-to-decision’ reduction for RLWE holds, and also that RLWE instances can be translated into PLWE instances, so that the RLWE decision problem can be reduced to the PLWE decision problem. Thus, if a number field $K$ satisfies the following six conditions simultaneously, then the results of [EHL] give an attack on the search version of RLWE:


(1) $K = \mathbb{Q}(\beta)$ is Galois of degree $n$.

(2) The ideal $(q)$ splits completely in $R = \mathcal{O}_K$, the ring of integers of $K$, and $q \nmid [R : \mathbb{Z}[\beta]]$.

(3) $K$ is monogenic, i.e., the ring of integers $R = \mathcal{O}_K$ of $K$ is generated by one element, $R = \mathbb{Z}[\beta]$.

(4) The transformation between the canonical embedding of $K$ and the power basis representation of $K$ is given by a scaled orthogonal matrix.

(5) If $f$ is the minimal polynomial of $\beta$, then $f(1) \equiv 0 \pmod q$.

(6) The prime $q$ can be chosen suitably large.

The first two conditions are sufficient for the RLWE search-to-decision reduction; the next two conditions are sufficient for the RLWE-to-PLWE reduction; and the last two conditions are sufficient for the attack on PLWE. Unfortunately, it is difficult to construct number fields satisfying all six conditions simultaneously. In [EHL] examples of number fields were given which are vulnerable to the attack on PLWE.

In [ELOS], the attack on PLWE was extended by weakening the conditions on $f(x)$, and the reduction from RLWE to PLWE was extended by weakening condition (4). A large class of fields were constructed where the attack on PLWE holds and RLWE samples can be converted to PLWE samples, thus providing examples of weak instances for the RLWE problem.

Exciting number theory problems often arise from cryptographic applications. In this paper we survey and extend the attacks on the PLWE and RLWE problems and raise associated number theoretic questions. In Section 2, we recall the PLWE and RLWE problems. In Sections 3 and 4 we survey and extend the attacks on PLWE which were introduced in [EHL, ELOS]. In Section 5, we explain the reduction between the RLWE and PLWE problems. Finally in Section 6 we raise related questions in number theory; in particular, we investigate the spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo $q$.

2. The fundamental hard problems: PLWE and RLWE

2.1. PLWE. Take $f(x) \in \mathbb{Z}[x]$ to be monic and irreducible of degree $n$. Suppose $q$ is a prime modulo which $f(x)$ factors completely (this is not necessary for the definition of the problem, but we will assume this throughout the paper). Write

$$P := \mathbb{Z}[x]/f(x), \qquad P_q := P/qP \cong \mathbb{F}_q[x]/f(x).$$

Let $\sigma \in \mathbb{R}_{>0}$. By a Gaussian distribution $\mathcal{G}_\sigma$ of parameter $\sigma$, we mean a Gaussian of mean $0$ and variance $\sigma^2$ on $P$ which is spherical with respect to the power basis $1, x, x^2, \dots, x^{n-1}$ of $P$. The prime $q$ is generally assumed to be polynomial in $n$, sometimes as large as $2^{80}$ but in some applications much smaller (even as small as $2^{?}$), and $\sigma$ is taken fairly small (perhaps $\sigma = 8$), so that in practice the tails of the Gaussian will decay to negligible size well before its variable reaches size $q$. Since $P$ has integer coordinates, we must ‘discretize’ the Gaussian in an appropriate fashion; the result is simply referred to as a discretized Gaussian. We will not go into the technical details in this paper, but instead refer the reader to [LPR].

There are two standard PLWE problems, quoted here from [BVa]. The difficulty involves determining a secret obscured by a small error drawn from the discretized Gaussian.

Problem 2.1 (Search PLWE Problem). Let $s(x) \in P_q$ be a secret. The search PLWE problem is to discover $s(x)$ given access to arbitrarily many independent samples of the form $(a_i(x), b_i(x) := a_i(x)s(x) + e_i(x)) \in P_q \times P_q$, where for each $i$, $e_i(x)$ is drawn from a discretized Gaussian of parameter $\sigma$, and $a_i(x)$ is uniformly random.

The polynomial $s(x)$ is the secret and the polynomials $e_i(x)$ are the errors. There is a decisional version of this problem:

Problem 2.2 (Decision PLWE Problem). Let $s(x) \in P_q$ be a secret. The decision PLWE problem is to distinguish, with non-negligible advantage, between the same number of independent samples in two distributions on $P_q \times P_q$. The first consists of samples of the form $(a(x), b(x) := a(x)s(x) + e(x))$ where $e(x)$ is drawn from a discretized Gaussian distribution of parameter $\sigma$, and $a(x)$ is uniformly random. The second consists of uniformly random and independent samples from $P_q \times P_q$.

Search-to-decision reductions were proved for cyclotomic number fields in [LPR] and extended to work for Galois number fields in [EHL]. Of course, the phrase ‘to distinguish’ must be interpreted to mean that the distinguisher’s acceptance probabilities, given PLWE samples versus uniform samples, differ by a non-negligible amount.

2.2. RLWE. The original formulation of the hard learning problem for rings, RLWE, presented in [LPR], was based on the ring of integers, $R$, of a number field. The authors studied a general class of problems where the error distribution was allowed to vary.

Here we are concerned with only two choices of distributions. The first is to consider rings, $R$, which are isomorphic to a polynomial ring $P$, and study the PLWE problem (PLWE was stated as a “variant” of RLWE in [LPR] and [BVa]). The distribution in this case is with respect to the polynomial basis of one of its polynomial representations.

The second is to choose the error according to a discretized Gaussian with 
respect to a special basis of the ambient space in which R was embedded 
via the Minkowski embedding. We will refer to this as RLWE. Therefore, 
in our language, when R is isomorphic to some polynomial ring P, RLWE 
differs from PLWE only in the error distribution. 

We will state the fundamental RLWE problems and then discuss the relationship between the RLWE and PLWE problems. Let $K$ be a number field of degree $n$ with ring of integers $R$. Let $R^\vee$ denote the dual of $R$,

$$R^\vee = \{a \in K : \mathrm{Tr}(ax) \in \mathbb{Z} \text{ for all } x \in R\}.$$
Let us write $R_q := R/qR$ and $R_q^\vee := R^\vee/qR^\vee$. We will embed $K$ in $\mathbb{R}^n$ via the usual Minkowski embedding. The vector space $\mathbb{R}^n$ is endowed with a standard inner product, and we will use the spherical Gaussian with respect to this inner product, discretized to $R^\vee$, as the discretized Gaussian distribution. We will refer to this as the canonical discretized Gaussian. This will not, in general, coincide with the discretized Gaussian defined in PLWE for a $P \cong R$, and this is the fundamental difference between the two problems.

The standard RLWE problems for a canonical discretized Gaussian are as follows.

Problem 2.3 (Search RLWE Problem [LPR]). Let $s \in R_q^\vee$ be a secret. The search RLWE problem is to discover $s$ given access to arbitrarily many independent samples of the form $(a, b := as + e)$ where $e$ is drawn from the canonical discretized Gaussian and $a$ is uniformly random.

Problem 2.4 (Decision RLWE Problem [LPR]). Let $s \in R_q^\vee$ be a secret. The decision RLWE problem is to distinguish with non-negligible advantage between the same number of independent samples in two distributions on $R_q \times R_q^\vee$. The first consists of samples of the form $(a, b := as + e)$ where $e$ is drawn from the canonical discretized Gaussian and $a$ is uniformly random, and the second consists of uniformly random and independent samples from $R_q \times R_q^\vee$.

An isomorphism between R and an appropriate polynomial ring P can 
be used to relate an instance of the RLWE problem to an instance of the 
PLWE problem. In particular, one requires R to be monogenic (having a 
power basis). Analysing the relationship between the two problems involves 
a close look at the change of basis under an isomorphism from R to the 
appropriate P. We will take up this issue in Section 5. 

3. Summary of Attacks 

In practice today, parameters for cryptosystems based on the RLWE and PLWE problems are set according to two known attacks, the distinguishing attack ([MR, RS]) and the decoding attack ([LP]). These attacks work in general for learning-with-error problems and do not exploit the special structure of the ring versions of the problem. In this paper, we will focus solely on the new attacks presented in [EHL] and [ELOS] that exploit the special number-theoretic structure of the PLWE and RLWE rings.

The attacks presented in [EHL] and [ELOS] can be described in terms of the ring homomorphisms from $P_q$ to smaller rings. As $P_q \cong \mathbb{F}_q^n$, the only candidates are the projections to each factor:

$$\pi_\alpha : P_q \to \mathbb{F}_q, \qquad p(x) \mapsto p(\alpha)$$
for each root $\alpha$ of $f(x)$. In $P_q$ the short vectors sampled by the Gaussian are easy to recognise since they have small coefficients. But they are hard to tease out of $b(x) = a(x)s(x) + e(x)$ without knowledge of $s(x)$, and the possibilities for $s(x)$ are too many to examine exhaustively. By contrast, in a small ring like $\mathbb{F}_q$, it is easy to examine the possibilities for $s(\alpha)$ exhaustively. And the ring homomorphism preserves the relationship of the important players: $b(\alpha) = a(\alpha)s(\alpha) + e(\alpha)$. Hence we can loop through the possibilities for $s(\alpha)$, obtaining for each the putative value

$$e(\alpha) = b(\alpha) - a(\alpha)s(\alpha).$$

The Decision Problem for PLWE, then, is solved as soon as we can recognize the set of $e(\alpha)$ that arise from the Gaussian.

Unfortunately (or fortunately), one does not expect to be able to do this in general. Heuristically, let $S \subset P_q$ denote the subset of polynomials that are produced by the Gaussian with non-negligible probability. In $P_q$, parameters are such that this is a small set. But $\mathbb{F}_q$ is a much smaller ring and one expects that generically, the image of $S$ will ‘smear’ across all of $\mathbb{F}_q$. Something quite special must happen if we expect the image of $S$ to remain confined to a small subset of $\mathbb{F}_q$, and hence be recognisable.

That ‘something special’ is certainly possible, however: suppose that $\alpha = 1$. The polynomials $g(x) \in S$ have small coefficients, and hence have small images $g(1)$ in $\mathbb{F}_q$. This is simply because $n$ is much smaller than $q$, so that the sum of $n$ small coefficients is still small modulo $q$. More generally, all of the attacks suggested in [EHL] and [ELOS] come down to considering $\alpha$ with certain advantageous properties, so that the image of $S$ can be recognised.

The cyclotomic cases currently under consideration for PLWE and RLWE are uniquely protected against this occurrence: $\alpha = 1$ is never a root modulo $q$ of a cyclotomic polynomial of degree $> 1$ when $q$ is sufficiently large.

3.1. Attacking $\alpha = 1$. The approach described above and the $\alpha = 1$ attack were first presented in [EHL]. The details are as follows. Suppose

$$f(1) \equiv 0 \pmod q.$$

We are given access to a collection of samples $(a_i(x), b_i(x))$. We wish to determine if a sample is valid, of the form

$$b_i(x) = s(x)a_i(x) + e_i(x)$$

for $e_i(x)$ produced by a Gaussian, or random (uniformly random). The algorithm is as follows:

Algorithm 1:

(1) Let the set of valid guesses be $S = \mathbb{F}_q$.

(2) Loop through the available samples. For each sample:

(a) Loop through guesses $s \in S$ for the value of $s(1)$. For each $s$:

(i) Compute $e_i := b_i(1) - s\,a_i(1)$.

(ii) If $e_i$ is not small in absolute value$^1$ modulo $q$, then conclude that the sample cannot be valid for $s$ with non-negligible probability, and remove $s$ from $S$.

(3) If $S = \emptyset$, conclude that the sample was random. If $S$ is non-empty, conclude that the sample is valid.

If the guess $s$ is correct, then $e_i = e_i(1) = \sum_j e_{ij}$, where the $e_{ij}$ are chosen from a Gaussian of parameter $\sigma$. It follows that the $e_i(1)$ are approximately sampled from a Gaussian of parameter $\sqrt{n}\sigma$, where $\sqrt{n}\sigma \ll q$.

3.2. Attacking $\alpha$ of small order. The following attack described and developed in [EHL, ELOS] requires $\alpha$ to have small order mod $q$. The fundamental idea is the same as for the $\alpha = 1$ attack, except that to discern whether or not $e_i(\alpha)$ is a possible image of a Gaussian-sampled error is more complicated.

Assume that $\alpha^r \equiv 1 \pmod q$; then

$$e(\alpha) = \sum_{i=1}^{n} e_i \alpha^i = (e_r + e_{2r} + \cdots) + \alpha(e_1 + e_{r+1} + \cdots) + \cdots + \alpha^{r-1}(e_{r-1} + e_{2r-1} + \cdots).$$

If $r$ is small enough, $e(\alpha)$ takes on only a small number of values modulo $q$. This set of values may not be easy to describe, but $q$ is small enough that it can be enumerated and stored. The attack proceeds as for $\alpha = 1$ except that to determine if a sample is potentially valid for $s$ in step (2)(a)(ii), we compare to the stored list of possible values.

4. Attacking $\alpha$ of small residue

A third attack described in [ELOS] is based on the size of the residue $e_i(\alpha) \bmod q$. This is more subtle. Here, the errors $e(\alpha)$ may potentially take on all values modulo $q$ with non-negligible probability. But it may be possible to notice if the probability distribution across $\mathbb{F}_q$ is not uniform, given enough samples.

This method of attack differs from the previous ones, but is also applicable to $\alpha = 1$ and $\alpha$ of small order, so all cases will be treated together. Assume that

$$f(\alpha) \equiv 0 \pmod q \qquad (1)$$

for some $\alpha$. Let $E_i$ be the event that

$$b_i(\alpha) - g\,a_i(\alpha) \bmod q \ \text{ is in the interval } [-q/4, q/4)$$

for some sample $i$ and guess $g$ for $s(\alpha) \bmod q$. We wish to compare the probabilities

$$P(E_i \mid \mathcal{D} = \mathcal{U}) \quad\text{and}\quad P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma).$$

$^1$ meaning residue of smallest absolute value
Here, $\mathcal{D} = \mathcal{U}$ refers to the situation where $b_i$ is uniformly random, while $\mathcal{D} = \mathcal{G}_\sigma$ refers to the situation where $b_i$ is obtained as $a_i s + e_i$ for some secret $s$, where $e_i$ follows a Gaussian truncated at $2\sigma$ (in practice, the Gaussian is truncated as the tails decay to negligible values). If $\mathcal{D} = \mathcal{U}$, then $b_i(\alpha) - g\,a_i(\alpha)$ is random modulo $q$ for all guesses $g$, that is,

$$P(E_i \mid \mathcal{D} = \mathcal{U}) = \tfrac{1}{2}.$$

If $\mathcal{D} = \mathcal{G}_\sigma$, then $b_i(\alpha) - s(\alpha)a_i(\alpha) \equiv e_i(\alpha) \pmod q$. Indeed, the terms of $b_i(\alpha) - s(\alpha)a_i(\alpha)$ that are a multiple of $f$ vanish at $\alpha$ modulo $q$ by Assumption (1). We consider

$$e_i(\alpha) = \sum_{j=0}^{n-1} e_{ij}\,\alpha^j,$$

where $e_{ij}$ is chosen according to the distribution $\mathcal{G}_\sigma$, and distinguish three cases corresponding to

(1) $\alpha = \pm 1$

(2) $\alpha \neq \pm 1$ and $\alpha$ has small order $r$ modulo $q$

(3) $\alpha \neq \pm 1$ and $\alpha$ is not of small order $r$ modulo $q$

We will now drop the subscript $i$ for simplicity. In Case (1), the error $e(\alpha)$ is distributed according to $\mathcal{G}_{\bar\sigma}$ where

$$\bar\sigma = \sigma\sqrt{n}.$$


In Case (2), the error can be written as

$$e(\alpha) = \sum_{i=0}^{r-1} \alpha^i\,(e_i + e_{i+r} + \cdots) = (e_0 + e_r + \cdots) + \alpha(e_1 + e_{r+1} + \cdots) + \cdots + \alpha^{r-1}(e_{r-1} + e_{2r-1} + \cdots),$$

where we assume that $n$ is divisible by $r$ for simplicity. For $j = 0, \dots, r-1$, we have that

$$e_j + e_{j+r} + \cdots + e_{j+n-r}$$

is distributed according to $\mathcal{G}_{\tilde\sigma}$ where

$$\tilde\sigma = \sigma\sqrt{\frac{n}{r}}.$$

As a consequence $e(\alpha)$ is sampled from $\mathcal{G}_{\bar\sigma}$ where

$$\bar\sigma^2 = \sum_{i=0}^{r-1} \tilde\sigma^2\,\alpha^{2i} = \frac{n}{r}\,\sigma^2 \sum_{i=0}^{r-1} \alpha^{2i} = \frac{n}{r}\,\sigma^2\,\frac{\alpha^{2r} - 1}{\alpha^2 - 1}.$$

In Case (3), the error $e(\alpha)$ is distributed according to $\mathcal{G}_{\bar\sigma}$ where

$$\bar\sigma^2 = \sum_{i=0}^{n-1} \sigma^2\,\alpha^{2i} = \sigma^2\,\frac{\alpha^{2n} - 1}{\alpha^2 - 1}.$$
If $q/4 > 2\bar\sigma$, then errors always lie in $[-q/4, q/4)$ and

$$P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma) = 1.$$

Otherwise, assuming for simplicity that $\dfrac{2\bar\sigma - q/2}{q}$ is an integer, we have

$$P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma)$$

In the situation where this value exceeds $1/2$, i.e., $P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma) = \tfrac{1}{2} + \epsilon$ with $\epsilon > 0$, the following algorithm attacks PLWE. Let

$$N := \left\lceil \frac{\ell + \epsilon}{2} \right\rceil,$$

where $\ell$ is the number of samples observed. For each guess $g$ mod $q$, we compute $b_i - g\,a_i \bmod q$ for $i = 1, \dots, \ell$. We denote by $C$ the number of elements obtained in the interval $[-q/4, q/4)$. If $C < N$, the algorithm outputs

$$\mathcal{D} = \mathcal{U},$$

otherwise, the algorithm outputs

$$\mathcal{D} = \mathcal{G}_\sigma.$$

In the analysis of the probability of success of the algorithm, we denote by $B$ the binomial distribution and by $F$ the cumulative binomial distribution. If $\mathcal{D} = \mathcal{U}$, the algorithm is successful with probability

$$P(C < N \mid \mathcal{D} = \mathcal{U}) = F(N-1;\,\ell,\,\tfrac{1}{2}).$$

If $\mathcal{D} = \mathcal{G}_\sigma$, we denote by $C_s$ the number of elements of the form $b_i - s\,a_i \bmod q$ in the interval $[-q/4, q/4)$. In this case, the algorithm is successful with probability

$$P(C \ge N \mid \mathcal{D} = \mathcal{G}_\sigma) = \sum_{i=0}^{\ell} P(C - C_s \ge N - i) \times P(C_s = i) = \sum_{i=0}^{\ell} \bigl(1 - F(N-i-1;\,\ell,\,\tfrac{1}{2})\bigr) \times B(i;\,\ell,\,\tfrac{1}{2} + \epsilon).$$

When $\epsilon > 0$, the algorithm is successful since

$$\tfrac{1}{2}\bigl(P(C < N \mid \mathcal{D} = \mathcal{U}) + P(C \ge N \mid \mathcal{D} = \mathcal{G}_\sigma)\bigr) = \tfrac{1}{2}\bigl(P(C < N \mid \mathcal{D} = \mathcal{U}) + 1 - P(C < N \mid \mathcal{D} = \mathcal{G}_\sigma)\bigr) = \tfrac{1}{2} + \tfrac{1}{2}\bigl(P(C < N \mid \mathcal{D} = \mathcal{U}) - P(C < N \mid \mathcal{D} = \mathcal{G}_\sigma)\bigr) > \tfrac{1}{2}.$$

Example 4.1. In Case (1), when $n = 2^{10}$, $q \approx 2^{80}$ and $\sigma = 8$, we can compute $\epsilon \approx 0.5$. Therefore, the attack is successful for any irreducible polynomial of degree $2^{10}$ and with a root $1$ mod $q$.

In Case (2), when $n = 2^{?}$, $q \approx 2^{80}$, $\sigma = 8$, and $\alpha = q - 1$, $\alpha$ has order $2$ and we can compute $\epsilon \approx 0.002$. This is particularly interesting since there is an irreducible polynomial with these properties that generates a power of 2 cyclotomic number field [ELOS]; however, it is not the usual cyclotomic polynomial.

In Case (3), when $n = 2^8$, $q \approx 2^{80}$, $\sigma = 8$, and $\alpha = 2$, computations show that $\epsilon = 0.02$. Therefore, this attack is successful for any irreducible polynomial of degree $2^8$ with a root $\alpha = 2$ modulo a prime $q \approx 2^{80}$.
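The three cases and the success analysis above, as an added Python example (mine, not the paper's code). `classify_root` reports which case a root $\alpha$ of $f$ modulo $q$ falls into, and `sigma_bar` evaluates the $\bar\sigma$ formulas, taking $\alpha$ as its residue of smallest absolute value (so $q - 1$ is treated as $-1$, i.e. Case (1)). `middle_fraction` estimates $P(E_i \mid \mathcal{D} = \mathcal{G}_\sigma)$ for the correct guess by simulation, and `success_probability` evaluates $\tfrac{1}{2}\bigl(P(C < N \mid \mathcal{U}) + P(C \ge N \mid \mathcal{G}_\sigma)\bigr)$ with $C \sim \mathrm{Bin}(\ell, \tfrac{1}{2})$ under $\mathcal{U}$ and $C \sim \mathrm{Bin}(\ell, \tfrac{1}{2} + \epsilon)$ for the correct guess, a simplification of the two-stage sum above. The modulus `Q80 = 2**80 + 13` is a stand-in of the right size for the paper's $q \approx 2^{80}$ and has not been checked for primality; since the Case (3) estimate depends on the particular $q$, the stand-in gives its own value rather than the one quoted in Example 4.1. All names are mine.

```python
import math
import random

# Stand-in modulus of the size used in Example 4.1 (q ~ 2^80).  It is a
# constructed value and has NOT been checked for primality.
Q80 = 2 ** 80 + 13


def multiplicative_order(alpha, q, bound):
    """Order of alpha modulo q, or None if it exceeds `bound` (only small
    orders matter for the attack, so the search stops early)."""
    a = alpha % q
    if a == 0:
        return None
    x = 1
    for r in range(1, bound + 1):
        x = x * a % q
        if x == 1:
            return r
    return None


def classify_root(alpha, q, small_order_bound=64):
    """(case, r) for a root alpha of f mod q: Case (1) alpha = +-1,
    Case (2) small order r, Case (3) no small order (r is None)."""
    a = alpha % q
    if a in (1, q - 1):
        return 1, (1 if a == 1 else 2)
    r = multiplicative_order(a, q, small_order_bound)
    return (2, r) if r is not None else (3, None)


def sigma_bar(n, q, sigma, alpha, small_order_bound=64):
    """The heuristic parameter sigma_bar of e(alpha) from Cases (1)-(3), with
    alpha taken as its residue of smallest absolute value (q-1 means -1)."""
    case, r = classify_root(alpha, q, small_order_bound)
    if case == 1:
        return sigma * math.sqrt(n)
    if case == 3:
        r = n
    a = (alpha + q // 2) % q - q // 2
    geometric = (a ** (2 * r) - 1) // (a * a - 1)     # sum_{i<r} a^{2i}, exact integer
    return sigma * math.sqrt(n / r * geometric)        # float; fine for demo sizes


def middle_fraction(n, q, sigma, alpha, trials, seed=0):
    """Monte Carlo estimate of P(E_i | D = G_sigma) for the correct guess:
    the fraction of e(alpha) = sum_j e_j alpha^j mod q that land in
    [-q/4, q/4), each e_j a rounded Gaussian truncated at 2 sigma."""
    rng = random.Random(seed)
    powers = [pow(alpha, j, q) for j in range(n)]
    hits = 0
    for _ in range(trials):
        total = 0
        for p in powers:
            x = rng.gauss(0.0, sigma)
            while abs(x) > 2 * sigma:
                x = rng.gauss(0.0, sigma)
            total += int(round(x)) * p
        res = (total + q // 2) % q - q // 2              # centered residue
        if -q <= 4 * res < q:
            hits += 1
    return hits / trials


def binom_cdf(k, ell, p):
    """P(Bin(ell, p) <= k)."""
    return sum(math.comb(ell, i) * p ** i * (1 - p) ** (ell - i) for i in range(k + 1))


def success_probability(ell, eps):
    """(1/2)(P(C < N | U) + P(C >= N | G_sigma)) with N = ceil((ell + eps)/2);
    C is modelled as Bin(ell, 1/2) under U and Bin(ell, 1/2 + eps) for the
    correct guess under G_sigma (a simplification of the two-stage sum)."""
    big_n = math.ceil((ell + eps) / 2)
    p_u = binom_cdf(big_n - 1, ell, 0.5)
    p_g = 1.0 - binom_cdf(big_n - 1, ell, 0.5 + eps)
    return 0.5 * (p_u + p_g)


if __name__ == "__main__":
    # Case (1) with the parameters of Example 4.1: every e(1) fits in [-q/4, q/4).
    print("Case (1): sigma_bar =", sigma_bar(1024, Q80, 8.0, 1),
          " P(E_i | G) ~", middle_fraction(1024, Q80, 8.0, 1, 50))
    # Case (2) on a toy modulus: 35 has order 3 modulo 97.
    print("Case (2): order", multiplicative_order(35, 97, 64), " sigma_bar =",
          round(sigma_bar(6, 97, 1.0, 35), 1), " P(E_i | G) ~", middle_fraction(6, 97, 1.0, 35, 2000))
    # Case (3): alpha = 2, n = 2^8, stand-in q ~ 2^80 (the estimate depends on q).
    print("Case (3):", classify_root(2, Q80), " P(E_i | G) ~", middle_fraction(256, Q80, 8.0, 2, 400))
    print("success probability with ell = 1000, eps = 0.02:", round(success_probability(1000, 0.02), 3))
```

A defender can run `classify_root` and `sigma_bar` over all roots of a candidate $f$ modulo $q$ as a parameter audit: any root in Case (1) or (2), or one whose $\bar\sigma$ is comparable to $q$, marks a ring in which $e(\alpha)$ is recognisable through $\pi_\alpha$.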

5. RLWE-to-PLWE reduction

Suppose that $K$ is a number field, and $R$ is its ring of integers. For technical reasons, we give a slight variant on the Minkowski embedding, which is as follows: $\theta : K \to \mathbb{R}^n$,

$$\theta(r) := \bigl(\sigma_1(r), \dots, \sigma_{s_1}(r), \mathrm{Re}(\sigma_{s_1+1}(r)), \dots, \mathrm{Re}(\sigma_{s_1+s_2}(r)), \mathrm{Im}(\sigma_{s_1+1}(r)), \dots, \mathrm{Im}(\sigma_{s_1+s_2}(r))\bigr),$$

where the $\sigma_i$ are the $s_1 + s_2$ embeddings of $K$, ordered so that the $s_1$ real embeddings are first, and the $s_2$ complex embeddings are paired so that

$$\overline{\sigma_{s_1+k}} = \sigma_{s_1+s_2+k}.$$

A spherical Gaussian of parameter $\sigma$ with respect to the usual inner product on $\mathbb{R}^n$ can be discretized to the canonical discretized Gaussian on $R$ or its dual $R^\vee$.

Suppose $R \cong P$ for some polynomial ring $P$ under a map $\alpha \mapsto x$ for some root $\alpha$ of $f(x)$. Suppose further that $R$ is monogenic. Then $R^\vee \cong P$ also as $R$-modules (as its different ideal is principal). For RLWE, $\mathbb{R} \otimes R^\vee$ is equipped with a basis $b_i$, $i = 0, \dots, n-1$ with respect to which the Gaussian is spherical (the standard basis of $\mathbb{R}^n$, pulled back by $\theta$). For PLWE, $\mathbb{R} \otimes P$ is equipped with such a basis also, i.e., the standard power basis $x^i$, $i = 0, \dots, n-1$. To relate the two problems, one must write down the change-of-basis matrix between them. It is the matrix

$$N_\alpha := \gamma M_\alpha^{-1} : \mathbb{R} \otimes R^\vee \to \mathbb{R} \otimes P,$$

where $\gamma$ is such that $R^\vee = \gamma R$, and where $M_\alpha$ is the matrix with columns $[\alpha^i]_b$ (i.e., the $i$-th column is the element $\alpha^i$ represented with respect to the basis $b = \{b_j\}$).

The properties of $N_\alpha$ determine how much the Gaussian is distorted in moving from one problem to the other. If it is not very distorted, then solving one problem may solve the other.

Details are to be found in [ELOS], but in short, the normalized spectral norm gives a good measure of ‘distortion’. This is defined for an $n \times n$ matrix $M$ by

$$\|M\|_2 / \det(M)^{1/n}.$$

6. Number Theoretical Open Problems 

In this section we will describe a number of open problems in number 
theory that are motivated by attacks to PLWE and RLWE, some very 
speculative and some more precise. 

6.1. Conditions for smearing. As described in Section 3, we are concerned with the map

$$\pi : P_q \to \mathbb{F}_q, \qquad g(x) \mapsto g(\alpha).$$

Question 6.1. For which subsets $S \subset P_q$ is the image $\pi(S) = \mathbb{F}_q$?

If $\pi(S) = \mathbb{F}_q$, we will say that $S$ smears under $\pi$.

Partial solutions to this problem may come in a wide variety of shapes. For example, can one prove that almost all $S$ of a given size smear? Can one characterise the types of situations that lead to a negative answer (e.g. $\alpha = 1$ and $S$ consisting of polynomials of small coefficients)? What if we restrict to the PLWE case, where $S$ consists of polynomials with small coefficients? Or the RLWE case, where $S$ is the image of a canonical discretized Gaussian?

6.2. The spectral distortion of algebraic numbers, and Mahler measure. By Section 5, the normalized spectral norm of $N_\alpha$ is a property of any algebraic number $\alpha$ for which $\mathbb{Z}[\alpha]$ is a maximal order. We will therefore denote it $\rho_\alpha$, and call it the spectral distortion of $\alpha$. It measures the extent to which the power basis $\alpha^i$ is distorted from the canonical basis of the associated number field. Recall from Section 5 that for number rings with small spectral distortion we expect to have an equivalence between the RLWE and PLWE problems. For completeness, we state a slightly more general definition, separate from its cryptographic origins, as follows:

Definition 6.2. Let $\alpha$ be an algebraic number of degree $n$ and $K = \mathbb{Q}(\alpha)$. Let $M$ be the matrix whose columns are given by $\theta(\alpha^i)$, where $\theta : K \to \mathbb{R}^n$,

$$\theta(r) = \bigl(\sigma_1(r), \dots, \sigma_{s_1}(r), \mathrm{Re}(\sigma_{s_1+1}(r)), \dots, \mathrm{Re}(\sigma_{s_1+s_2}(r)), \mathrm{Im}(\sigma_{s_1+1}(r)), \dots, \mathrm{Im}(\sigma_{s_1+s_2}(r))\bigr),$$

where the $\sigma_i$ are the $s_1 + s_2$ complex embeddings of $K$, ordered so that the $s_1$ real embeddings are first, and the $s_2$ complex embeddings are paired so that $\overline{\sigma_{s_1+k}} = \sigma_{s_1+s_2+k}$. The spectral distortion of $\alpha$ is $\|M\|_2 / (\det(M))^{1/n}$.

Question 6.3. What are possible spectral distortions of algebraic numbers?

It follows from the special properties of 2-power roots of unity that they have spectral distortion equal to 1. However, even other roots of unity do not have spectral distortion equal to 1 (and this is what necessitates the more elaborate RLWE-to-PLWE reduction argument given in [DD] for cyclotomic rings which are not 2-power cyclotomics).

Is the spectral distortion a continuum, or is the collection of values discrete in regions of $\mathbb{R}$? Does this relate to Mahler measure?

The Mahler measure of a polynomial can be defined as the product of the absolute values of the roots which lie outside the unit circle in the complex plane, times the absolute value of the leading coefficient. For a polynomial

$$f(x) = a(x - \alpha_1)(x - \alpha_2) \cdots (x - \alpha_n)$$

the Mahler measure is

$$M(f) := |a| \prod_{|\alpha_i| > 1} |\alpha_i|.$$

The Mahler measure of an algebraic number $\alpha$ is defined as the Mahler measure of its minimal polynomial.

Interestingly, polynomials which have small Mahler measure (all roots very close to 1 in absolute value) seem to have small spectral distortion. For example, consider “Lehmer’s polynomial”, the polynomial with the smallest known Mahler measure greater than 1:

$$f(x) = x^{10} + x^9 - x^7 - x^6 - x^5 - x^4 - x^3 + x + 1.$$

The Mahler measure is approximately 1.176, and the spectral distortion for its roots is approximately 3.214. This spectral distortion is rather small, and compares favorably for example with the spectral distortion for 11th roots of unity, which is approximately 2.942. Other examples of polynomials with small Mahler measure also have small spectral distortion: $f(x) = x^3 - x + 1$ has Mahler measure approximately 1.324 and spectral distortion approximately 1.738.

To explain the phenomenon observed for polynomials with small Mahler measure and to relate the Mahler measure to the spectral norm, we need to have some estimate on the spectral norm in terms of the entries of the matrix. The entries of the matrix $M$ are powers of the roots $\{\alpha_i\}$ of the minimal polynomial. When the Mahler measure is small, the entries of the matrix $M$ have absolute value close to 1, since the absolute values of the roots are as close as possible to 1. To make the connection with the spectral norm more precise, [N] gives an improvement on Schur’s bound and expresses the bound on the largest singular value in terms of the entries of the matrix. Thus we can use Schur’s bound or this improvement to see that polynomials with small Mahler measure must have relatively small spectral norm.

It could also be interesting to look at other properties of $M$, such as the entire vector of singular values of $M$, its condition number, etc.
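An added Python implementation (mine, not the paper's) of the two quantities of this subsection: the Mahler measure, and the spectral distortion computed as the normalized spectral norm of the change-of-basis matrix $N_\alpha = \gamma M_\alpha^{-1}$ of Section 5, i.e. $|\det M|^{1/n} / \sigma_{\min}(M)$ with $M$ the matrix of Definition 6.2 (the scalar $\gamma$ cancels in the normalized norm). `normalized_spectral_norm` returns $\|M\|_2 / |\det M|^{1/n}$ as literally written in the definition, for comparison; the $N_\alpha$ form is the one that reproduces the value 1.738 quoted above for $x^3 - x + 1$. Roots are found by a Durand-Kerner iteration and singular values by Jacobi rotations so that nothing beyond the standard library is needed; all helper names are mine, and `LEHMER` holds Lehmer's polynomial with the constant term first.

```python
import math

# Lehmer's polynomial, coefficients low degree first (constant term first).
LEHMER = [1, 1, 0, -1, -1, -1, -1, -1, 0, 1, 1]


def poly_roots(coeffs, iters=500):
    """All complex roots of a polynomial (coefficients low degree first) by the
    Durand-Kerner iteration, which is adequate for the small degrees here."""
    c = [x / coeffs[-1] for x in coeffs]                 # monic copy
    n = len(c) - 1

    def value(z):
        v = 0j
        for a in reversed(c):
            v = v * z + a
        return v

    roots = [(0.4 + 0.9j) ** k for k in range(n)]
    for _ in range(iters):
        new = []
        for i, z in enumerate(roots):
            denom = 1 + 0j
            for j, w in enumerate(roots):
                if i != j:
                    denom *= z - w
            new.append(z - value(z) / denom)
        roots = new
    return roots


def embedding_matrix(coeffs):
    """M of Definition 6.2 as a list of rows: column i is theta(alpha^i) with
    theta = (real embeddings, Re of one embedding per complex-conjugate pair,
    Im of the same embeddings)."""
    roots = poly_roots(coeffs)
    n = len(roots)
    real = [z.real for z in roots if abs(z.imag) < 1e-9]
    upper = [z for z in roots if z.imag > 1e-9]          # one per conjugate pair
    rows = [[rho ** i for i in range(n)] for rho in real]
    rows += [[(z ** i).real for i in range(n)] for z in upper]
    rows += [[(z ** i).imag for i in range(n)] for z in upper]
    if len(rows) != n:
        raise ValueError("could not separate real and complex roots numerically")
    return rows


def sym_eigenvalues(a, sweeps=60):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in a]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-26:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):                        # rotate columns p, q
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                        # rotate rows p, q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def singular_values(m):
    """Singular values of a square matrix, ascending (via eigenvalues of M^T M)."""
    n = len(m)
    gram = [[sum(m[k][i] * m[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    return sorted(math.sqrt(max(lam, 0.0)) for lam in sym_eigenvalues(gram))


def spectral_distortion(coeffs):
    """Normalized spectral norm of N_alpha = gamma M^{-1} (Section 5):
    ||M^{-1}||_2 / det(M^{-1})^{1/n} = |det M|^{1/n} / sigma_min(M)."""
    sv = singular_values(embedding_matrix(coeffs))
    return math.prod(sv) ** (1.0 / len(sv)) / sv[0]


def normalized_spectral_norm(coeffs):
    """||M||_2 / |det M|^{1/n}, the expression as written in Definition 6.2."""
    sv = singular_values(embedding_matrix(coeffs))
    return sv[-1] / math.prod(sv) ** (1.0 / len(sv))


def mahler_measure(coeffs):
    """|a| times the product of |alpha_i| over the roots outside the unit circle."""
    measure = abs(coeffs[-1])
    for z in poly_roots(coeffs):
        if abs(z) > 1:
            measure *= abs(z)
    return measure


if __name__ == "__main__":
    for name, f in [("x^4 + 1", [1, 0, 0, 0, 1]), ("x^3 - x + 1", [1, -1, 0, 1]),
                    ("Phi_11", [1] * 11), ("Lehmer", LEHMER)]:
        print(f"{name:12s} Mahler {mahler_measure(f):.3f}  distortion {spectral_distortion(f):.3f}"
              f"  ||M||/det^(1/n) {normalized_spectral_norm(f):.3f}")
```

For $x^4 + 1$ the matrix $M$ is a scaled orthogonal matrix, so both quantities equal 1, which is the 2-power cyclotomic case of Question 6.3; for a totally real quadratic field such as $\mathbb{Q}(\sqrt 2)$ the two quantities coincide as well ($2^{1/4}$), and they first differ in mixed signature.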

6.3. Galois versus Monogenic. We say that $K$ is monogenic if the ring of integers $R$ of $K$ is monogenic, i.e., a simple ring extension $\mathbb{Z}[\beta]$ of $\mathbb{Z}$. In this case, $K$ will have an integral basis of the form $\{1, \beta, \dots, \beta^{n-1}\}$, which is called a power integral basis. In this section we will focus on properties (1) and (4) from the introduction.

Example 6.4. The following are examples of number fields that are both Galois and monogenic:

• Cyclotomic number fields, $K = \mathbb{Q}(\zeta_n)$ where $\zeta_n$ is a primitive $n$th root of unity,

• Maximal real subfields of cyclotomic fields, $K = \mathbb{Q}(\zeta_n + \zeta_n^{-1})$,

• Quadratic number fields $K = \mathbb{Q}(\sqrt{d})$.

Question 6.5. Are there fields of cryptographic size which are Galois and 
monogenic, other than the cyclotomic number fields and their maximal real 
subfields? How can one construct such fields explicitly? 

The problem of characterizing all number fields which are monogenic goes 
back to Hasse, however, a complete solution is not known to date. Here we 
will summarize some of the known related results. 

Proposition 6.6. [NS] Let $p$ be a prime and $K$ a Galois extension of $\mathbb{Q}$ of degree $n$. Let $e$ be the ramification index of $p$ and $f$ be the inertia degree of $p$. If one of the conditions below is satisfied then $K$ is not monogenic:

• If $f = 1$: $ep < n$

• If $f \geq 2$: $ep^{f} < n + e - 1$

Let $K$ be a Galois extension of prime degree $\ell$. (Such extensions are called cyclic extensions.) The following result of Gras [G] states that cyclic extensions are often non-monogenic.

Theorem 6.7. [G] Any cyclic extension $K$ of prime degree $\ell \geq 5$ is non-monogenic except for the maximal real subfield of the $(2\ell+1)$-th cyclotomic field with prime conductor $2\ell + 1$.

Theorem 6.8. [G2] Let $n > 5$ be relatively prime to $2, 3$. There are only finitely many abelian number fields of degree $n$ that are monogenic.

For number fields of smaller degree it may be possible to give a complete characterization. For instance, for cyclic cubic extensions $K$, Gras [G3] and Archinard [Ar] gave necessary and sufficient conditions for $K$ to be monogenic. Even though monogenic fields are rare in the abelian case for large degree, Dummit and Kisilevsky [DK] have shown that there exist infinitely many cyclic cubic fields which are monogenic. A result of Kedlaya [K] implies that there are infinitely many monogenic number fields of any given signature. In fact, we expect monogenicity frequently: if $f$ is an irreducible polynomial with squarefree discriminant then the number field $K$ obtained by adjoining a root of $f$ to $\mathbb{Q}$ is monogenic. For polynomials of fixed degree $> 4$ whose coefficients are chosen randomly, it is conjectured that with probability $> 0.307$, the root will generate the ring of integers of the associated number field [K]. However, to require $K$ also to be Galois is much more restrictive. Moreover, for fields of cryptographic size ($n \sim 2^{10}$), the discriminant of $f$ is too large to test whether it is squarefree. Therefore testing whether an arbitrary number field of cryptographic size is monogenic is not known to be feasible in general.


6.4. Finding roots of small order mod p. We have seen that a root of small order of $f(x)$ modulo $q$ provides a method of attack on the PLWE problem in the ring $\mathbb{Z}_q[x]/(f(x))$. The attack is even more effective if, in addition, this root is small as a minimal residue modulo $q$ ('minimal' meaning the smallest in absolute value). See Example 4.1, Case (3) in Section 4. Cyclotomic fields are protected against this attack by the observation that the roots of a cyclotomic polynomial modulo $q$ are of full order $n$. However, for 'random' polynomials, there is a priori no particular reason to expect roots of any particular order modulo $q$, or to expect the roots to be small. Motivated by these two requirements, it is natural to ask the following question:

Question 6.9. For random polynomials $f(x)$ and random primes $q$ for which $f(x)$ has a root $a$ modulo $q$, what can one say about the order of $a$ modulo $q$?


A special case of this question, for $f$ monic of degree one, is to ask, for a fixed $a$, how often is $a$ a primitive root modulo $p$? A famous conjecture of Artin states that this should happen for infinitely many $p$ provided $a$ is not a perfect square or $-1$, and describes the density of such primes. This has been the subject of much research, and the question above is a sort of number field analogue. Some investigations in the direction of a number field analogue of Artin's conjecture exist; for a gateway to the literature, see [MP, S].

Computationally, to locate polynomials having a small root of small order, it is easiest to start with the desired order, find a suitable $q$, and then build the polynomial. The algorithm is as follows:

Algorithm 2

Input: Integers $r, n, q_0$ such that $r > 2$ represents the desired order, $n > 1$ represents the desired degree, and $q_0 > \log_2(n)$ represents the desired bitsize of $q$.

(1) Let $s$ be the degree of the cyclotomic polynomial $\Phi_r$.

(2) Let $a = 1$ (our candidate for the element of order $r$ mod $q$). Test $\Phi_r(a)$ for primality. If it is a prime of approximate bitsize $q_0$, let $q$ be this prime. Otherwise, increment $a$ and try again.

(3) Once $a$ and $q$ are fixed, choose a set $S$ of $n$ elements of $\mathbb{Z}/q\mathbb{Z}$ that includes $a$ and the other $n - 1$ smallest minimal residues (or choose any other subset of residues).

(4) Choose $i = 1$ and increment $i$ until the polynomial

$$f_i(x) = \prod_{s \in S} (x - s) + qi$$

of degree $n$ is irreducible.

Output: A monic irreducible polynomial $f(x) \in \mathbb{Z}[x]$, a prime $q$ roughly of size $q_0$, such that $f$ splits modulo $q$, and $a \in \mathbb{Z}/q\mathbb{Z}$ such that $f(a) \equiv 0 \pmod{q}$ and $a^r \equiv 1 \pmod{q}$.

Note that if one wishes to relax the condition that $f$ splits modulo $q$, one could take $f(x) = (x - a)^n + q$, which is irreducible, to avoid Step 4.

Using this method, it is easy to find examples of $(K, q)$ such that $f(x)$ has a root of small order modulo $q$. Among them, an example of cryptographic size is afforded by $n = 2^{10}$, $r = 3$, $a = 33554450$, $q = 1125901148356951$ and $i = 1$ (the polynomial is too unwieldy to print here). Using the last two parts of the method, one can, in fact, easily construct polynomials having as roots many elements of small order modulo $q$.
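Steps (1) to (3) of Algorithm 2, together with the $(x-a)^n + q$ shortcut from the note above, as an added Python illustration; this is not code from the paper, and the names (find_small_order_root, eisenstein_polynomial, the a_start and max_tries knobs) are my own. $\Phi_r(a)$ is evaluated through the Möbius product formula, primality by Miller-Rabin, and the irreducibility test of Step (4) is replaced by the Eisenstein variant so that no factoring over $\mathbb{Z}$ is needed. Starting the search at $a = 2$ rather than $a = 1$ is an added choice, since $\Phi_r(1)$ can never yield an element of order $r$. With toy parameters it returns $a = 12$, $q = 157$; with the paper's $a = 33554450$ it reproduces $q = 1125901148356951 = \Phi_3(a)$, a 50-bit prime modulo which $a$ has order 3.

```python
from math import log2


def _mobius(m):
    """Moebius function mu(m) by trial division (m >= 1)."""
    mu, p = 1, 2
    while p * p <= m:
        if m % p == 0:
            m //= p
            if m % p == 0:
                return 0          # square factor
            mu = -mu
        p += 1
    return -mu if m > 1 else mu


def cyclotomic_value(r, a):
    """Phi_r(a) for an integer a >= 2, from Phi_r(x) = prod_{d | r} (x^d - 1)^{mu(r/d)}.
    The division is exact because the product equals the integer polynomial Phi_r."""
    num, den = 1, 1
    for d in range(1, r + 1):
        if r % d == 0:
            mu = _mobius(r // d)
            if mu == 1:
                num *= a ** d - 1
            elif mu == -1:
                den *= a ** d - 1
    return num // den


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases: deterministic below 3.3e24,
    a strong probable-prime test beyond that."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def has_order(a, r, q):
    """True iff a has multiplicative order exactly r modulo q."""
    if pow(a, r, q) != 1:
        return False
    m, p, primes = r, 2, []
    while p * p <= m:
        if m % p == 0:
            primes.append(p)
            while m % p == 0:
                m //= p
        p += 1
    if m > 1:
        primes.append(m)
    return all(pow(a, r // p, q) != 1 for p in primes)


def find_small_order_root(r, n, q0, a_start=2, max_tries=1_000_000):
    """Steps (2)-(3) of Algorithm 2: the first a >= a_start with Phi_r(a) a prime of
    bitsize exactly q0 (stricter than the paper's 'approximate'), and the set S made
    of a plus the n - 1 smallest minimal residues 0, 1, -1, 2, -2, ...
    a_start is an added knob: Phi_r(1) never gives an element of order r."""
    if r < 2 or n < 1 or q0 <= log2(n):
        raise ValueError("need r >= 2, n >= 1 and q0 > log2(n)")
    a = a_start
    for _ in range(max_tries):
        q = cyclotomic_value(r, a)
        if q.bit_length() == q0 and is_probable_prime(q):
            break
        a += 1
    else:
        raise RuntimeError("no prime Phi_r(a) of bitsize q0 found; raise a_start or max_tries")
    S, k = [a], 0
    while len(S) < n:
        for c in ((k, -k) if k else (0,)):
            if len(S) < n and c % q != a % q:
                S.append(c)
        k += 1
    return a, q, S


def eisenstein_polynomial(a, n, q):
    """Coefficients, lowest degree first, of f(x) = (x - a)^n + q from the note after
    Algorithm 2: irreducible over Z (Eisenstein at q after the shift x -> x + a), with
    f(a) = q; modulo q it reduces to (x - a)^n, so a is its only root there."""
    coeffs = [1]
    for _ in range(n):                      # multiply by (x - a)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] -= a * c
            nxt[i + 1] += c
        coeffs = nxt
    coeffs[0] += q
    return coeffs


def eval_mod(coeffs, x, q):
    """Horner evaluation of coeffs (lowest degree first) at x modulo q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


if __name__ == "__main__":
    a, q, S = find_small_order_root(3, 4, 8)          # toy parameters
    print(a, q, S, has_order(a, 3, q), eval_mod(eisenstein_polynomial(a, 4, q), a, q))
```

For parameters of cryptographic size the search should start near $2^{q_0/\varphi(r)}$ (for $r = 3$, near $2^{q_0/2}$), since $\Phi_r(a)$ has about $\varphi(r)\log_2 a$ bits; starting from $a = 2$ with $q_0 = 50$ would call the primality test millions of times before reaching the right range.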

A simpler starting point is the following second question:

Question 6.10. What is the distribution of elements of small order among residues modulo $q$?

There is a significant body of research on the distribution of primitive roots (see Artin's conjecture) and quadratic residues. More recently there have been advances on the distribution of elements of small order. For example, the number of elements of bounded size and specified order is bounded above in [BKS2]; see also [Bour, BKS, KS]. More useful in our present context, for the purposes of finding elements of small order, would be a guarantee that such elements exist in some small interval.

A more precise question is as follows:

Question 6.11. What is the smallest residue modulo a prime $q$ which has order exactly $r$?

Let $q$ be a prime and $r > 2$. Let $n_{r,q}$ represent the smallest residue modulo $q$ which has order exactly $r$. A first observation is the following (which allows us to choose a more suitable starting point for $a$ in the algorithm above).

Proposition 6.12. Let $\varphi(r)$ represent the Euler function, giving the number of positive integers less than and coprime to $r$. Then, if $r$ has at most two distinct prime factors, which are odd, then

$$|n_{r,q}| \geq$$

Proof. The element $n_{r,q}$ is a root of the $r$-th cyclotomic polynomial, of degree $\varphi(r)$, modulo $q$. Since $\Phi_r(n_{r,q}) \neq 0$ as an integer relation, it must be that $|\Phi_r(n_{r,q})| \geq q$. It is known that under the given hypotheses on the factorisation of $r$, the coefficients of $\Phi_r$ are chosen from $\{\pm 1, 0\}$ ([M]). Therefore $|\Phi_r(n_{r,q})|$ is bounded above in terms of $|n_{r,q}|$ and $\varphi(r)$ alone, from which the result follows. □

In general, combining upper and lower bounds on $n_{r,q}$ would limit the search space for an element of small order.

Remark 6.13. (1) Other restrictions on the coefficients of $\Phi_r$ give rise to similar results. To derive an asymptotic statement, one could turn to asymptotic results such as [E2].

(2) In the case of $r = 3$, the study of $n_{3,q}$ gives the full story, as the cube roots of unity are of the form $\{1, n_{3,q}, n_{3,q}^{-1}\}$.

(3) In general, the primes $q$ such that $n_{r,q} = a$ for a fixed $a$ and $r$ are among those dividing $\Phi_r(a)$, hence there are finitely many.

(4) Elliott has some results on $k$-th power residues [El].

We will call $n_{r,q}$ minimal if, in addition to being the smallest residue of order $r$ modulo $q$, it also satisfies $\Phi_r(n_{r,q}) = \pm q$. For non-minimal $n_{r,q}$, the lower bound in Proposition 6.12 increases. A conjecture of Bouniakowski implies that minimality happens infinitely often.

Conjecture 6.14 (Bouniakowski, [Boun]). Let $f(x) \in \mathbb{Z}[x]$ be a non-constant irreducible polynomial such that $f(x)$ is not identically zero modulo any prime $p$. Then $f(n)$ is prime for infinitely many $n \in \mathbb{Z}$.

Proposition 6.15. Let $r > 2$. If Bouniakowski's Conjecture holds, then there are infinitely many primes $q$ for which $n_{r,q}$ is minimal.

Proof of Prop 6.15. The cyclotomic polynomials for $r > 1$ satisfy the Bouniakowski conditions, as they are irreducible and $\Phi_r(1) \not\equiv 0 \pmod{p}$ since 1 is not of exact order $r$ modulo any $p$. Hence $\Phi_r(x)$ takes on infinitely many prime values; for such a prime $q$, the smallest such $x$ in absolute value is $n_{r,q}$ and this is minimal. □
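Question 6.11, Proposition 6.12, Remark 6.13(3) and Proposition 6.15 above, made concrete for an odd prime $r$ in an added Python illustration; this is not the paper's code, and the function names and the tie-break convention between $k$ and $-k$ are mine. For prime $r$ one has $\Phi_r(x) = 1 + x + \cdots + x^{r-1}$, so the coefficient hypothesis of Proposition 6.12 holds with all coefficients equal to 1. The bound coded in search_lower_bound, that $|n_{r,q}|$ is at least the least $m$ with $r\,m^{r-1} \geq q$, is derived here from $q \leq |\Phi_r(n_{r,q})| \leq r\,|n_{r,q}|^{r-1}$; it is an added, crude stand-in for the proposition's own bound, not a transcription of it, and bound_holds checks it against brute force.

```python
def primes_up_to(bound):
    """Sieve of Eratosthenes; primes <= bound in increasing order (bound >= 1)."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(bound ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, bound + 1, p)))
    return [p for p in range(2, bound + 1) if sieve[p]]


def phi_r(r, x):
    """Phi_r(x) = 1 + x + ... + x^(r-1), valid for prime r, at an integer x."""
    return sum(x ** k for k in range(r))


def smallest_residue_of_order(r, q):
    """n_{r,q}: the residue of least absolute value with exact order r modulo the prime q,
    or None when r does not divide q - 1 (then no element of order r exists).
    For prime r, exact order r means c^r = 1 and c != 1 (mod q).
    If k and -k both qualify, k is returned (an added convention; the paper fixes none)."""
    if (q - 1) % r != 0:
        return None
    for k in range(1, q // 2 + 1):
        for c in (k, -k):
            if pow(c, r, q) == 1 and c % q != 1:
                return c
    return None


def is_minimal(r, q):
    """Minimal in the paper's sense: Phi_r(n_{r,q}) = +-q, not merely divisible by q."""
    n = smallest_residue_of_order(r, q)
    return n is not None and abs(phi_r(r, n)) == q


def primes_with_smallest_residue(r, a, bound):
    """Remark 6.13(3): the primes q <= bound with n_{r,q} = a; each must divide Phi_r(a)."""
    return [q for q in primes_up_to(bound) if smallest_residue_of_order(r, q) == a]


def search_lower_bound(r, q):
    """Added bound for odd prime r: q <= |Phi_r(n)| <= r * |n|^(r-1) for any n of
    order r modulo q, so |n_{r,q}| is at least the least m with r * m^(r-1) >= q."""
    m = 1
    while r * m ** (r - 1) < q:
        m += 1
    return m


def bound_holds(r, bound):
    """Check |n_{r,q}| >= search_lower_bound(r, q) for every prime q <= bound."""
    for q in primes_up_to(bound):
        n = smallest_residue_of_order(r, q)
        if n is not None and abs(n) < search_lower_bound(r, q):
            return False
    return True


def minimal_primes_from_phi(r, x_max):
    """Proposition 6.15's mechanism: the prime values q = Phi_r(x) for 2 <= x <= x_max
    (primality by trial division), returned as (x, q) pairs."""
    out = []
    for x in range(2, x_max + 1):
        q = phi_r(r, x)
        if all(q % p for p in range(2, int(q ** 0.5) + 1)):
            out.append((x, q))
    return out


if __name__ == "__main__":
    for x, q in minimal_primes_from_phi(3, 12):
        print(x, q, smallest_residue_of_order(3, q), is_minimal(3, q))
```

For $r = 3$ the prime values of $\Phi_3(x) = x^2 + x + 1$ give exactly the minimal case: the two elements of order 3 modulo $q = \Phi_3(x)$ are $x$ and $-(x+1)$, so $n_{3,q} = x$ and $\Phi_3(n_{3,q}) = q$, while a prime such as $19 = \Phi_3(7)/3$ has $n_{3,19} = 7$ and is not minimal.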